MicroStrategy ONE

Integrate OIDC Support with Okta

This procedure provides instructions for integrating MicroStrategy Web with Okta. For more information, see the Okta documentation.

Create an Application

  1. Log in as an Okta administrator and go to the Admin page.

  2. Go to Applications and click Create App Integration.

  3. Select OIDC - OpenID Connect and Native Application.

  4. Click Next.

  5. Under General Settings, enter the App integration name.

  6. Confirm that Authorization Code and Refresh Token are checked in the Grant type.

  7. Add the following Web, Mobile, Library and Desktop application URIs under Sign-in redirect URIs. Replace the environment-specific URIs with your environment name.

    • https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/auth/oidc/login

    • com.microstrategy.hypermobile://auth

    • com.microstrategy.dossier.mobile://auth

    • https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategyLibrary/static/oidc/success.html

    • local://plugins

    • http://127.0.0.1

    • http://127.0.0.1:51892

    • http://127.0.0.1:51893

    • http://127.0.0.1:51894

    • http://127.0.0.1:51895

    • http://127.0.0.1:51896

    • http://127.0.0.1:51897

    • com.microstrategy.mobile://auth

    • https://env-xxxxxx.customer.cloud.microstrategy.com:443/MicroStrategy/auth/oidc/login

    • https://env-xxxxxx.customer.cloud.microstrategy.com:443/MicroStrategyMobile/auth/oidc/login

  8. Click Save.

  9. Go to the Assignments tab and assign users.

  10. On the General tab, under Client Credentials, take note of the client ID for future reference.

  11. Select the Sign On tab. Under the OpenID Connect ID Token, take note of the issuer for future reference.

  12. Next to OpenID Connect ID Token, click Edit. In the Groups claim filter, choose Matches regex, enter a value of .*, and click Save.

  13. Select the Assignments tab and verify that the users that need to access the application are assigned.

  14. Click Okta API Scopes and grant okta.apps.read, okta.groups.read, and okta.users.read scopes to the application.

Configure MicroStrategy Library in Workstation

  1. Open Workstation and connect to the Library environment using standard authentication with a user that has admin privileges.

  2. Right-click on the connected environment. Under Configure Enterprise Security, select Configure OIDC.

  3. Select Okta as the identity provider from the dropdown in the first step.

  4. Verify that all URIs mentioned in the second step are already added to the Okta application.

  5. Provide the Client ID and Issuer for the Okta application in the third step.

  6. Verify the default User claim mappings and Import user at Login setting.

  7. Click Save. This automatically creates a trust relationship between the Library Web server and the Intelligence server, and enables OIDC authentication mode.

Configure and Enable OIDC Auth Mode for MicroStrategy Web/MicroStrategy Mobile

The procedure below refers to MicroStrategy Web. However, the same information applies to MicroStrategy Mobile unless otherwise noted.

  1. Go to the MicroStrategy Web admin page.

    https://env-xxxxxx.customer.cloud.microstrategy.com/MicroStrategy/servlet/mstrWebAdmin

  2. Locate the connected Intelligence server and click Modify.

  3. Click Setup next to the trust relationship between the Web server and MicroStrategy Intelligence server.

  4. Enter the user credentials with admin privileges and click Create Trust Relationship.

  5. In the navigation pane, click Default properties and enable OIDC Authentication.

  6. Under OIDC Configuration, complete the remaining fields.

    Client ID: Enter the client ID of your Okta application.

    Client Secret: This field is only required when the Okta application is a Web app. If you deployed a Public client/native app in Create an Application, you can leave this field blank.

    Issuer: Enter the Issuer of your Okta application.

    Native Client ID: This is the same as the client ID, unless configured otherwise.

    Redirect URI: The default web redirect URI. This should not be changed unless configured otherwise.

    Scope: The scopes used by MicroStrategy to authorize access to a user. To log into the Mobile admin page with OIDC, add "groups" to the scope.

    Claim Map:

    • Full Name: The user display name attribute. The default value for this field is name.

    • User ID: The user distinguished login attribute. The default value for this field is email.

    • Email: The user email address attribute. The default value for this field is email.

    • Groups: The user group attribute. The default value for this field is groups.

    Admin Groups: Select the admin groups whose members can access the admin pages. You can have multiple admin groups. For example, with the value

    ["WebAdmin","SystemAdmin"]

    members belonging to WebAdmin and SystemAdmin can access the admin pages.

  7. Click Save. For more information, see Enabling OIDC Authentication for JSP Web and Mobile.

Restart the Web server after completing all the above steps for the changes to take effect.
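The following added example (not MicroStrategy or Okta code) models how the Claim Map and Admin Groups settings above are applied to the claims of a decoded ID token, and why the "groups" scope matters: without it the groups claim is never issued, so no user qualifies for the admin pages. The token claims, the approximation of Okta's Groups claim filter (assumed to require a full regex match) and the helper names are all constructed for illustration.

```python
import re

# Constructed sample: claims from a decoded Okta ID token (not a real token).
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "00uEXAMPLE",
    "name": "Ada Lovelace",
    "email": "ada@example.com",
    "groups": ["Everyone", "WebAdmin", "Finance"],
}

# Default claim map from the OIDC Configuration section of this page.
DEFAULT_CLAIM_MAP = {"full_name": "name", "user_id": "email",
                     "email": "email", "groups": "groups"}

# Admin Groups value used as the example on this page.
ADMIN_GROUPS = ["WebAdmin", "SystemAdmin"]


def okta_groups_claim(user_groups, filter_regex, requested_scopes):
    """Approximate the Okta side: the groups claim is issued only when the
    'groups' scope is requested, and it carries the group names that match
    the Groups claim filter regex (this page configures '.*')."""
    if "groups" not in requested_scopes:
        return None  # claim absent from the token
    pattern = re.compile(filter_regex)
    return [g for g in user_groups if pattern.fullmatch(g)]


def map_claims(claims, claim_map=DEFAULT_CLAIM_MAP):
    """Apply the MicroStrategy claim map to the issued token claims."""
    return {
        "full_name": claims.get(claim_map["full_name"]),
        "login": claims.get(claim_map["user_id"]),
        "email": claims.get(claim_map["email"]),
        "groups": claims.get(claim_map["groups"]) or [],
    }


def can_access_admin_pages(mapped_user, admin_groups=ADMIN_GROUPS):
    """Admin pages open only to members of a configured admin group."""
    return any(g in admin_groups for g in mapped_user["groups"])


def simulate_login(claims, requested_scopes, filter_regex=".*"):
    """Build the token Okta would issue for the scopes, then map the user."""
    issued = {k: v for k, v in claims.items() if k != "groups"}
    groups = okta_groups_claim(claims.get("groups", []), filter_regex, requested_scopes)
    if groups is not None:
        issued["groups"] = groups
    user = map_claims(issued)
    user["admin"] = can_access_admin_pages(user)
    return user
```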